Right security rules for Firebase - Firebase allow public read/write without security warnings

1
votes

I am building an app where anonymous users can read and contribute some data from their browser. I am getting frequent warnings about this being not secure and users being able to wipe out my database.

Right now, in development this is OK as the application is not public but i want to avoid the security concerns.

I do not want to have users to create a login for the application.

Firebase security rules currently

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if
1
firebasegoogle-cloud-firestorefirebase-security
Hi @Ramakay, if the below answer was helpful, please consider upvoting it and marking it as accepted. Otherwise, specify what other issues you have regarding your original question. Thanks! - sllopis

1 Answers

2
votes

Right now, in development this is OK as the application is not public but i want to avoid the security concerns.

Actually, it's not really OK. All someone has to do is guess your project name (or stumble upon it by generating random strings, similar to guessing a password), and they can start filling up your database with documents, or delete everything that's there. It wouldn't be the first time that's happened.

If you want to temporarily allow full access up to some target date (like the default security rules set up when you create a new project), you can just copy that:

allow read, write: if request.time < timestamp.date(2020, 7, 12);

This will allow full access until tomorrow, July 12, 2020.

This should be a good reminder to set proper rules for your project in the future. There is no real "secure" option other than creating proper security rules for your app's specific needs.